I want to use server-side includes, but how do I do it safely so that it's protected from injection exploits, for example?

ASP.NET doesn't have traditional server-side includes. You have the ability to write Web controls that you can include in top-level pages. In cases such as this, you have to specify the Web control statically so that it can be compiled along with the containing page so there aren't many risks of injection attacks specific to using the Web control. Hopefully this will serve all of your server-side include needs.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

However, if you need more dynamic server-side include capabilities, you can leverage the Response.WriteFile method to include the content of arbitrary files into the stream being sent back to the browser. See this MSDN article for more information.

This will allow you to dynamically choose the name of a file to include.

As with avoiding all injection flaws, data validation is crucial. You want to positively validate that 'filenameVariable' meets standards you set out. One suggestion is to use regular expressions to verify that the filename to be included only includes alphanumeric characters and possibly '.' characters. Just checking for well-known malicious sequences such as "../" is not good enough. With the various character sets and encodings used along the inputs path to reaching this code, you run the risk of canonicalization issues.

One other thing to note is that the contents of the included files are simply sent along verbatim -- there is no server-side processing. So if the included file contains ASP.NET code, the code will not be executed and will instead be disclosed to the remote user.

Using ASP.NET Web controls can help you to safely reuse code in the style of server-side includes. If you must have more dynamic control, be sure to carefully and positively validate the names of the files to be included. Also, be sure that included files don't contain any server-side code because it will not be processed.

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy